Turn Digital Objects Into Passwords

At the recent USENIX conference, two researchers presented a new way to generate high entropy passwords using common objects, such as text and images.

PhD student Mohammad Mannan and Professor P.C. van Oorschot, both of the Carleton University in Canada, call their new technique Object-based Passwords (or ObPwd for short). The technique centers selecting an object - for example, either text or an image - which is then used to generate a complex password. The duo think that such a tactic might be useful because most people have access to a large amount of digital media and that using ObPwd makes remembering complex passwords much easier.

"Instead of requiring users to memorize an exact password, ObPwd only requires one to remember a hint or pointer to the password object used," the men wrote in their related white paper.

To demonstrate the technique in use the researchers created a Firefox add-on that lets the user select a series of text or an image and then click a menu item to generate an associated password. As long as the exact text is chosen each time, the generated password is always the same, thereby making it simpler to regain access to the complex password when required.

The team also created a Windows desktop application that demonstrates the same concept. The underlying technology for both demonstration programs currently uses SHA-1 to create a hash from the selected object and PswHash to create a 12-character password string.

ObPwd's password generation technique might be useful when passwords need to be shared. "Sharing of passwords in most graphical schemes is awkward if not impossible," wrote Mannan and van Oorschot.

"ObPwd may enable better password sharing than text and graphical schemes without sacrificing confidentiality to third parties. For example, if two users share a digital photo folder then one user can choose a specific image as the password object and send the other user a hint or description of the image (e.g., "our whitewater kayaking photo") over public media or email. Now an eavesdropper can see the hint but cannot generate the shared password without having access to the image object itself," the two men concluded.

John Savill's Hyper-V Master Class

Join John Savill for 12 hours of comprehensive Hyper-V training. This master-level online training course will explore all the key aspects of a Hyper-V based virtualization environment covering both current capabilities in Windows Server 2012 R2 and looking at the future with Windows Server vNext.